1. Technical Field
The subject matter disclosed herein relates generally to a transaction authentication system. Specifically, the subject matter disclosed herein relates to detecting man-in-the-middle attacks in electronic transactions using prompts.
2. Related Art
Use of electronic media has quickly become the preferred means for a user to conduct electronic transactions. Users utilize transactions like, online-banking and Internet shopping every day, in order to avoid having to visit a physical location to conduct these transactions. However, these electronic transactions come with a heightened risk, as electronic transactions usually involve proprietary or sensitive information (e.g., bank account numbers, credit card numbers, etc.), collectively known as restricted user information. If a third party were to obtain this restricted user information, that party would be able to conduct transactions, which would typically be restricted, to simultaneously benefit the third party while harming the true owner of that restricted user information.
Third parties may obtain such information by conducting what is called a “man-in-the-middle” attack on an electronic transaction. A man-in-the-middle attack occurs when an third party computer system interposes itself between a user's computer system, used to conduct an electronic transaction, and a service provider's computer system, for providing the service involved in the electronic transaction. While interposed between the user and service provider systems, the third party computer system intercepts the restricted user information and electronic transaction information from the user's computer system, forwards along the gathered information to obtain access to the service providers system using the restricted user information, and conducts a distinct electronic transaction to benefit the third party and not the user. To keep the user from noticing the user's transaction has been interrupted by a man-in-the-middle attack, the third party system sends the user a fraudulent confirmation message or webpage confirming the user's electronic transaction information, when, in fact, a distinct electronic transaction has taken place. When a man-in-the-middle attack occurs, the user has no way of knowing until after the fraudulent electronic transaction has taken place, and the user desired electronic transaction has been discarded by the third party system.